How To: Integrating Azure SaaS Discovery & Utilization with Reftab

Reftab now offers automatic discovery of who has access to your SaaS platforms, and how often they utilize these platforms, by integrating with your Azure instance. In this guide, weโ€™ll give you a step-by-step look at setting this integration up:

Azure Settings
Grant Permissions
Track Software Utilization
Create Certificate and Secret
Reftab Settings


Azure Settings

The first step in this process is to setup the initial application for Azure to integrate to Reftab. 

This can be accomplished by logging into your Azure account (https://portal.azure.com), and then clicking on โ€œEnterprise Applicationsโ€ under โ€œAzure servicesโ€.

If you do not see โ€œEnterprise Applicationsโ€, then you will need to click the menu tree in the top left corner, and then click โ€œAll servicesโ€. Here you can search for โ€œEnterprise Applicationsโ€ and star the service so that it can be easily accessed from the landing page.

Once inside the Enterprise Applications page, click โ€œNew applicationโ€, then โ€œCreate your own applicationโ€. Give the application a name, something simple like โ€œReftabโ€ will suffice. Ensure that โ€œIntegrate any other application you donโ€™t find in the gallery (Non-gallery)โ€ is checked. Then press โ€œCreateโ€.

After the creation of the application, take note of the โ€œApplication IDโ€ under the โ€œPropertiesโ€ header in the page you have been brought to, this will be needed later on.

Grant Permissions

Next the application needs to be granted permissions. In order to do so, navigate to โ€œPermissionsโ€, which can be found under โ€œSecurityโ€. Then click on โ€œapp registrationโ€. Next, click on โ€œAdd a permissionโ€, and then select the โ€œMicrosoft Graphโ€ API.

Select โ€œApplication permissionsโ€ when deciding the type of permission the application requires.

Next, filter by typing in the respective box and search for โ€œApplicationโ€, expand the category and checkmark โ€œApplication.Read.Allโ€.

Next, we will filter once again but for โ€œUserโ€, scroll down until you locate the โ€œUserโ€ category, expand the category, and checkmark โ€œUser.Read.Allโ€.  

Once permissions have been added, click on โ€œGrant admin consent for Default Directoryโ€, then click โ€œYesโ€ on the confirmation popup. Ensure the warning status turn green for both permission nodes once consent is granted.

Additional Permissions Required to Track Software Utilization

Additionally, if you want to take advantage of the new usage features our SaaS Discovery integrations offer, you will want to grant the application permission to read all audit log data. The permission node for this would be AuditLog.Read.All, as shown below:

Reftab’s new utilization feature streamlines the tracking of software usage, making it simple to identify underutilized software licenses. This allows for more efficient management of your licenses, ensuring you’re getting the most out of your investments. Additionally, the new login charts and columns provide detailed insights into user activity, helping you understand how frequently the software is being used.

You can learn more about the Okta and Azure SaaS utilization feature here!

Create Certificate and Secret

Next, create a new client secret by navigating to โ€œCertificates & secretsโ€ on the left-hand menu, click โ€œNew client secretโ€, then enter a short description. โ€œReftabโ€ will be adequate. Set your expiration timeframe, the recommended is 180 days by default. Then click โ€œAddโ€ to create the client secret.

Take note of the string under the โ€œValueโ€ column, as it will be needed later.

**This is the only time that this value will be visible**

Last, grab the OAuth 2.0 token endpoint (v2). This can be found by navigating to โ€œOverviewโ€ on the same page, and clicking on โ€œEndpointsโ€. The URL will be the second line item in the screenshot below. Take note of this, as it will also be needed in the next steps.


Reftab Settings

Now that things are setup on the Azure side, log into your Reftab account: https://www.reftab.com/login

Next, click on โ€œSettingsโ€, then โ€œIntegrationsโ€, then finally click on โ€œConfigureโ€ for Azure SaaS Discovery.

Now input your endpoint url into the โ€œAzure Oauth2 Token Endpointโ€ field. Then input your Application ID into the โ€œClient IDโ€ field, then last input your client secret value into the โ€œClient Secretโ€ field. Next click โ€œSave Azure Settingsโ€. Then click โ€œRefresh Azure Applicationsโ€. Your Azure application will now populate.

..and there you have it! You have successfully integrated Azure SaaS Discovery w/ Reftab! You can now create subsequent applications for each license you would like to have automatically assigned to users in Reftab.


For questions, email โ€˜[email protected]โ€™